| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | no eu_entity (UK third-country incorporation/operations), but a genuine EU operational nexus via the German parent United Internet AG / IONOS (which engineers the CloudNX platform) -> SOV-1.1 opt2 'mostly outside EU' (seal 1); contracting entity, data centre and staff sit in the UK. (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Owned since 2006 by German United Internet AG (an EU/EEA group), so a transfer to a non-EU sovereign entity is unlikely; main residual risk is the UK operating base. (SOV-1.2 all-seal-4, choice kept.) |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No formal customer governance bodies; roadmap influence limited to voice-of-the-customer channels for a commercial mass-market host -> SOV-1.3 opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Backed by United Internet AG, a publicly listed German (EU) group, so the majority of funding is EU-based. (SOV-1.4 all-seal-4, choice kept.) |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Economic contribution (jobs, data centre, taxes) is concentrated in the UK third country; the EU benefits only indirectly via the German parent. (SOV-1.5 all-seal-4, choice kept.) |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs (Gaia-X, IPCEI-CIS); UK commercial host with no EU strategic engagement. (SOV-1.6 all-seal-4, choice kept.) |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No action plan aligning Fasthosts with EU industrial strategies; positions itself as a UK web host. (SOV-1.7 all-seal-4, choice kept.) |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | no own_stack in EU-jurisdiction terms: owns its own UK Tier IV data centre and CloudNX platform (EU-parent maintained) so it could continue temporarily, but real non-EU dependencies (chips/OS/hypervisor) and UK base mean no full autonomy -> SOV-1.8 opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | no EU jurisdiction: contracts governed by the law of England and Wales (UK, non-EU); not exclusively EU law -> SOV-2.1 opt1 (seal 1, ceiling). (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | no immunity (UK Investigatory Powers Act exposure; no SecNumCloud/EUCS-High; UK operational nexus); GDPR adequacy + contract clauses mitigate but exposure remains -> SOV-2.2 opt2 (seal 1). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | medium | no immunity: under the UK Investigatory Powers Act (technical capability/national security notices) authorities can compel access in specific cases, possibly with non-disclosure; no published always-reject policy -> SOV-2.3 opt2 (seal 1, ceiling). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | no eu_exclusive: as a non-EU (UK) provider the offer is not specifically shielded from non-EU export controls affecting EU citizens/orgs, and UK-billed revenue is not >50% in the EU; no EU-MS-specific restriction identified -> SOV-2.4 opt2 (seal 1). Normalised with the UK cluster. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core CloudNX/IONOS software IP is German (EU) but OS, hypervisor and hardware IP are largely non-EU -> mixed within/outside-EU IP origin, SOV-2.5 opt3. (all-seal-4 factor.) |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | IP held across the United Internet group (German/EU) and third-party vendors under non-EU law (US software licences) -> mixed law with some EU, SOV-2.6 opt3 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | Standard IaaS/hosting: encryption is primarily provider-managed, no advertised customer-exclusive HYOK/BYOK preventing provider access -> SOV-3.1 opt2 (seal 1). |
| SOV-3.2 | Transparent data flows & access logs | 2. Basic incomplete logs | 50/200 | SEAL-1 | low | Basic control-panel access/activity logging only; no comprehensive real-time independently auditable data-flow logs -> SOV-3.2 opt2 (seal 1). |
| SOV-3.3 | Secure deletion & proof of erasure | 2. Manual confirmation only | 50/200 | SEAL-1 | low | Deletion on account termination with manual confirmation; no published cryptographic proof-of-erasure -> SOV-3.3 opt2 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | no eu_exclusive: customer data is hosted in Fasthosts' UK (Worcester) data centre, a third country, not EU/EEA, with no EU-exclusivity guarantee -> third-country hosting with safeguards, SOV-3.4 opt2 (seal 0), per key anchor 'no EU-exclusivity guarantee -> SEAL-0'. Normalised with the UK-only cluster members. (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service: Fasthosts has no significant in-house AI offering, so there is no foreign-AI/black-box model dependency to penalise -> key judgment-call #2 maps 'no in-scope AI service' to opt4 (seal 3). Normalised with the no-AI cluster members (Brightbox, Pulsant). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented data-export/backup methods with common OS/stacks (Linux, Windows, standard VMs) -> documented portability, SOV-4.1 opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | no eu_ops: critical operations run from the UK third country (platform engineered by the German parent), not a fully EU-based operational team -> SOV-4.2 opt2 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | no eu_ops: engineering/operations staff concentrated in the UK (non-EU); from an EU perspective the skill base is majority outside the EU/EEA -> SOV-4.3 opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | no eu_ops: support delivered by UK-based teams (Gloucester, third country), so majority of support staff sit outside the EU/EEA -> SOV-4.4 opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are English and UK-hosted with no enforced EU-only handling; EU residency optional at best -> SOV-4.5 opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Own Tier IV data centre plus German-parent supply relationships mean the service could continue temporarily under contract if a single non-EU supplier failed, though the supplier base is not EU-confined -> SOV-4.6 opt3 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware components (HPE/Juniper) sourced from non-EU vendors with only partial public provenance disclosure -> SOV-5.1 opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and network gear manufactured by foreign OEMs (HPE, Juniper) outside the EU, partial disclosure -> SOV-5.2 opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS and embedded code in commodity servers/network kit come from non-EU OEMs with limited provenance disclosure -> SOV-5.3 opt2. (all-seal-4 factor, choice kept.) |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | low | no foreign_core for the control plane: the CloudNX control-plane software is developed/maintained by the German (EU) IONOS group, so core essential software is EU-maintained while OS/hypervisor layers remain foreign -> SOV-5.4 opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | Platform software built/released under EU control by the German parent while underlying components remain non-EU -> non-EU control with substantial EU execution, SOV-5.5 opt3 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | A few non-EU vendors in critical layers (chips, OS, hypervisor, network hardware), but documented standard products rather than a single undocumented dependency -> SOV-5.6 opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers and the ISO 27001/Tier IV facility are auditable, but the full upstream hardware/software chain is not broadly customer-auditable -> SOV-5.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | low | CloudNX exposes APIs and supports standard OS images/tooling -> partial openness, not open-by-default or fully portable, SOV-6.1 opt3 (seal 2). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Common open standards (HTTP, TLS, standard VM/storage formats, DNS) used for core services, but no published policy mandating open standards across all services -> SOV-6.2 opt3 (seal 2). |
| SOV-6.3 | Open source availability | 1. Fully closed-source, vendor-controlled | 0/200 | SEAL-2 | low | The CloudNX control plane and management software are proprietary and vendor-controlled; not an open-source-centric provider -> SOV-6.3 opt1 (seal 2). |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Architecture detail shared mainly under audit/commercial engagement; only marketing-level public insight -> SOV-6.4 opt2 (seal 2). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No dedicated/in-scope HPC service -> treated as no-in-scope-HPC, SOV-6.5 opt2 (seal 3) per key rather than imported black-box. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | low | no qualifying cert: holds ISO 27001 and Uptime Tier IV but no Common Criteria EAL, SecNumCloud or EUCS evaluation -> effectively EAL0/none, SOV-7.1 opt1 (seal 1). (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Complies with (UK) GDPR/DPA and holds ISO 27001 -> moderate adherence; no evidence of full independently audited NIS2/DORA, SOV-7.2 opt3. (all-seal-4 factor.) |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | low | Security operations run by UK-based teams (third country) with no ENISA/CSIRT integration; closest to a primary SOC outside the EU -> SOV-7.3 opt3 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 2. Customers receive periodic reports | 36/143 | SEAL-1 | low | Control-panel monitoring and periodic reporting rather than full direct access to immutable EU-stored security logs -> SOV-7.4 opt2 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure follows GDPR/UK breach-notification duties -> moderate NIS2/GDPR-aligned disclosure without real-time CSIRT sharing, SOV-7.5 opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operator of its own data centre and platform -> moderate maintenance autonomy with scheduled/notified windows and testing, SOV-7.6 opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | no audit_rights: independent audit limited to certification bodies (ISO 27001, Uptime Institute), not open audit by the contracting authority or any independent EU body -> SOV-7.7 opt2 (seal 1, ceiling). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Modern Tier IV Worcester data centre (£21M, opened 2022) designed for high efficiency with onsite solar and a sustainability roadmap; PUE <1.5 + roadmap plausible -> SOV-8.1 opt3 (seal 4). (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | Sustainability messaging (carbon-compensated construction, modern facility) indicates basic circular practices, but no documented hardware reuse/recycling program -> SOV-8.2 opt2 (seal 0). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Some environmental claims published (renewable energy, carbon compensation) but no comprehensive methodology-based annual environmental report for Fasthosts itself -> SOV-8.3 opt2 (seal 1). |
| SOV-8.4 | Energy supplies | 2. Only EU energy supplies | 63/250 | SEAL-4 | medium | Worcester data centre reported to run on 100% renewable energy sourced in the UK (local, non-EU, onsite solar covering up to 10%); traceable single-region renewable supply, SOV-8.4 opt2. (all-seal-4 factor, choice kept.) (src: https://www.ionos.co.uk/newsroom/news/ionos-and-fasthosts-achieve-tier-iv-certification-for-worcester-data-centre/) |